ISO 42001 is the first international standard for AI Management Systems (AIMS). If your organisation is certified or working towards certification, you already have a significant head start on EU AI Act compliance. This mapping shows exactly where the two frameworks overlap — and where gaps remain.
Strong overlap: ~58%
Partial overlap: ~42%
Total head start: ~65%
Net-new AI Act work: ~35%
ISO 42001 (published December 2023) provides a management system framework for responsible AI. The EU AI Act (Regulation 2024/1689) is binding law with specific prescriptive requirements. ISO 42001 certification gives you the governance structure — but the EU AI Act adds legally mandated technical requirements, documentation formats, and enforcement mechanisms. Companies pursuing both get the best of both worlds: a management system plus legal compliance.
Mapping (EU AI Act requirement / ISO 42001 control / Remaining work):

EU AI Act: Risk management system and quality management system require documented policies, but with prescriptive EU AI Act-specific content
ISO 42001: Requires an AI policy and measurable objectives for responsible AI use
Remaining work: ISO 42001 AI policy is general-purpose. EU AI Act requires policies specifically addressing the risk categories defined in Articles 5-7 and compliance with Annex III/IV obligations

EU AI Act: Continuous risk management covering health, safety, and fundamental rights
ISO 42001: Comprehensive AI risk assessment framework covering risks to individuals and organisations
Remaining work: Strong overlap. ISO 42001 risk assessment aligns well but must be extended to explicitly cover EU AI Act's fundamental rights analysis (Article 27) and foreseeable misuse scenarios

EU AI Act: Lifecycle obligations from design through post-market monitoring
ISO 42001: Controls for AI system design, development, deployment, operation, and retirement
Remaining work: ISO 42001 lifecycle controls provide a strong framework. EU AI Act adds specific prescriptive requirements at each stage (e.g., Annex IV documentation format, Article 12 automatic logging)

EU AI Act: Training, validation, and testing dataset governance with bias detection requirements
ISO 42001: Data quality, provenance, and lifecycle management for AI training and operation
Remaining work: Excellent overlap. ISO 42001 data controls cover most Article 10 requirements. Gap: EU AI Act requires documented demographic representativeness assessment and specific bias detection methodology

EU AI Act: Nine-section prescriptive technical documentation package
ISO 42001: General documented information requirements and AI system documentation
Remaining work: ISO 42001 requires system documentation but does not prescribe the specific nine-section Annex IV format. You will still need to produce the EU AI Act technical file in the regulated format

EU AI Act: Instructions for use for deployers; AI interaction disclosure for end users
ISO 42001: Transparency and explainability controls for AI systems and their outputs
Remaining work: ISO 42001 establishes transparency principles. EU AI Act Article 50 has specific product-level requirements (disclosure UI, AI content labeling, deepfake marking) that go beyond policy

EU AI Act: Technical measures enabling human monitoring, intervention, and override of AI outputs
ISO 42001: Human involvement controls in AI system operation and decision-making
Remaining work: ISO 42001 addresses human oversight at policy level. EU AI Act requires product-level features: stop buttons, override mechanisms, confidence score displays, and minimum staffing

EU AI Act: Post-market monitoring plan with drift detection and incident reporting
ISO 42001: Performance evaluation, monitoring, measurement, and analysis of AI systems
Remaining work: ISO 42001 monitoring aligns well with Article 72. EU AI Act adds specific requirements for serious incident reporting to authorities (Article 73) within 15 days (2 days for imminent risks)

EU AI Act: Fundamental Rights Impact Assessment for deployers of high-risk AI
ISO 42001: AI impact assessment covering effects on individuals, groups, and society
Remaining work: Strong alignment. ISO 42001 impact assessment framework covers similar ground. EU AI Act FRIA must explicitly reference EU Charter of Fundamental Rights articles and notify market surveillance authorities

EU AI Act: Provider obligations extend to third-party AI models used within the system
ISO 42001: Controls for externally provided AI components, models, and services
Remaining work: Good overlap. ISO 42001 third-party controls provide a foundation. EU AI Act requires understanding third-party model training data, limitations, and ensuring full Annex IV documentation coverage

EU AI Act: EU AI Act conformity assessment and EU database registration
ISO 42001: Internal audit and management review processes
Remaining work: ISO 42001 audit processes don't substitute for EU AI Act conformity assessment. Registration in the EU AI database (Article 49) is a new, separate requirement

EU AI Act: Corrective actions including system withdrawal if non-compliant
ISO 42001: Nonconformity handling, corrective action, and continual improvement for AI systems
Remaining work: ISO 42001 continual improvement framework aligns well. EU AI Act adds the nuclear option of market withdrawal (Article 20) and specific authority notification requirements for non-compliance
Strong foundation: ISO 42001 covers AI risk assessment, data management, lifecycle management, impact assessment, and third-party controls — giving you approximately 60–70% of the EU AI Act framework.
Best alignment in the market: ISO 42001 is the closest existing standard to the EU AI Act. No other certification gives you a bigger head start.
Remaining gaps: Annex IV technical documentation (specific 9-section format), Article 50 product-level transparency features, Article 14 product-level human oversight mechanisms, Article 49 EU database registration, and Article 43 conformity assessment.
Key distinction: ISO 42001 is a management system standard (governance, process, policy). The EU AI Act adds legally binding technical requirements with penalties up to 7% of global turnover. You need both.